Stunnel won't start after pfSense restart!


  • Hi
    I installed stunnel v4.43.0 on pfSense 2.1 and it worked perfectly. After the first restart, it won't start again, without any log!

    I can start it after removing and re-installing the package.

    How can I fix this?

    Thanks.


  • Finally found the solution.

    stunnel can't create a folder in /var/tmp/stunnel or /var/tmp/run/stunnel for the chroot and the .pid.

    Follow this:

    1- mkdir /usr/local/etc/stunnel/run or /tmp

    2- chown -R stunnel:stunnel /usr/local/etc/stunnel/run

    3- ee /usr/local/pkg/stunnel.inc

    replace "/var/tmp/stunnel" with "/usr/local/etc/stunnel/run" on lines 120, 206, 217, 234

    add "fwrite($fout, "pid = /stunnel.pid \n");" on line 123

    4- configure stunnel and done.
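The same fix as a repeatable script (an added example, not code from the thread or from the pfSense stunnel package). It rewrites every occurrence of the unwritable /var/tmp/stunnel path in a copy of /usr/local/pkg/stunnel.inc, on whatever line it sits rather than only the four listed, and inserts the pid line directly after the chroot line instead of at the fixed line 123; that anchor, and the shape of the constructed stunnel.inc fragment, are assumptions. It only writes a patched copy, so the diff can be reviewed before it replaces the package file.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense package: the manual fix
# from the post above as a script. Patches a COPY of stunnel.inc; moving it
# into place is left to the operator after inspecting the diff.

OLD_DIR="/var/tmp/stunnel"
NEW_DIR="/usr/local/etc/stunnel/run"

# Steps 1 and 2 of the post: create the chroot/pid directory and hand it to the
# unprivileged user stunnel drops to (setuid/setgid = stunnel in stunnel.conf).
prepare_chroot_dir() {
    mkdir -p "$1" || return 1
    chown -R stunnel:stunnel "$1"
}

# Step 3: $1 = original stunnel.inc, $2 = where to write the patched copy.
patch_stunnel_inc() {
    awk -v old="$OLD_DIR" -v new="$NEW_DIR" '
        { gsub(old, new); print }
        # Assumption: the pid line goes right after the line that writes
        # "chroot = ...". The path is relative to the chroot, so the pid file
        # ends up as NEW_DIR/stunnel.pid on the host filesystem.
        /fwrite\(\$fout, "chroot = / {
            print "        fwrite($fout, \"pid = /stunnel.pid\\n\");"
        }
    ' "$1" > "$2"
}

# Constructed stand-in for stunnel.inc (the real file is much longer); $1 = path.
write_sample_inc() {
    cat > "$1" <<'EOF'
<?php
/* constructed fragment for demonstration, not the real package file */
function stunnel_write_config() {
    safe_mkdir("/var/tmp/stunnel");
    $fout = fopen("/usr/local/etc/stunnel/stunnel.conf", "w");
    fwrite($fout, "cert = /usr/local/etc/stunnel/stunnel.pem\n");
    fwrite($fout, "chroot = /var/tmp/stunnel\n");
    fwrite($fout, "setuid = stunnel\n");
    fwrite($fout, "setgid = stunnel\n");
    fclose($fout);
}
EOF
}

# Dry run on the constructed file so the change can be inspected with diff.
work=$(mktemp -d)
write_sample_inc "$work/stunnel.inc"
patch_stunnel_inc "$work/stunnel.inc" "$work/stunnel.inc.patched"
diff -u "$work/stunnel.inc" "$work/stunnel.inc.patched" || true

# On the firewall itself, after checking the diff:
#   prepare_chroot_dir "$NEW_DIR"
#   patch_stunnel_inc /usr/local/pkg/stunnel.inc /tmp/stunnel.inc.patched
#   cp /tmp/stunnel.inc.patched /usr/local/pkg/stunnel.inc
```

The chown matters because stunnel switches to the stunnel user before it chroots and writes its pid; a directory owned by root is exactly the failure the thread describes.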


  • @nimamhd:

    Finally found the solution.

    stunnel can't create a folder in /var/tmp/stunnel or /var/tmp/run/stunnel for the chroot and the .pid.

    Follow this:

    1- mkdir /usr/local/etc/stunnel/run or /tmp

    2- chown -R stunnel:stunnel /usr/local/etc/stunnel/run

    3- ee /usr/local/pkg/stunnel.inc
     
      replace "/var/tmp/stunnel" with "/usr/local/etc/stunnel/run" on lines 120, 206, 217, 234

      add "fwrite($fout, "pid = /stunnel.pid \n");" on line 123

    4- configure stunnel and done.

    Is this something that can get added to the package?


  • Yes, I think the Stunnel package needs some updates for pfSense 2.1.


  • Took me some time to find this thread and to solve the problem. Thx for the solution.

    What about a stunnel update? Will there be a new version?


  • Thank you for your reply. :)

    Yes, Stunnel version 5 is available.

    https://www.stunnel.org/downloads.html


  • I would really appreciate a new version. It's really endlessly simple to use it for enabling SSL support for FTP, webmail, etc…


  • @Rossi:

    It's really endlessly simple to use it for enabling SSL support for FTP, webmail, etc…

    Stunnel does not support FTP as far as I know, but for most other Stunnel server functionality you should be able to use the HAProxy-devel package.

    But I still vote for having new package for Stunnel 5 with all new functionality included!


  • Well, you are right… never tried it with ftp but several other services and all of them were really quick and easy to setup.


  • Looks like it is a bit urgent now. I guess I will disable stunnel until it's patched.


  • As you know about Heartbleed, I can't wait for the Stunnel package's new update. How can I manually update this?

    The recent new version of Stunnel is available.


  • We have the same problem here, and being a new pfSense user, I really don't want to be hacking around on it and expect that it will work long-term for our fairly critical environment.

    Is there an alternative to what Stunnel does on pfSense, or is it the only official package?

    Based on prior history, do you all think that there will be a package that will fix this issue and get us to the new Heartbleed-proof version?

    Thanks!


  • I use the Zebedee package too. It's simple and powerful.

    You can visit http://www.winton.org.uk/zebedee/ for more info.

    If you have any problem, don't hesitate to post it. :)


  • I just encountered this issue today.

    I reinstalled the stunnel package and still was not able to launch stunnel.
    I ssh-ed into my pfsense box and did

    find / | grep stunnel
    

    The result from the above command led me to examine /usr/local/etc/rc.d/stunnel.sh

    cat /usr/local/etc/rc.d/stunnel.sh
    

    which returned

    
    #!/bin/sh
    # This file was automatically generated
    # by the pfSense service handler.
    
    rc_start() {
            /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
    
    }
    
    rc_stop() {
            killall stunnel
    
    }
    
    case $1 in
            start)
                    rc_start
                    ;;
            stop)
                    rc_stop
                    ;;
            restart)
                    rc_stop
                    rc_start
                    ;;
    esac
    
    

    This suggested that /usr/local/etc/stunnel/stunnel.conf is used as the configuration file so I followed with

    cat /usr/local/etc/stunnel/stunnel.conf
    

    to examine the file, which in turn showed

    
    cert = /usr/local/etc/stunnel/stunnel.pem
    chroot = /var/tmp/stunnel
    setuid = stunnel
    setgid = stunnel
    
    

    Manually running the following on the command line

    /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
    

    confirmed that stunnel was exiting because there were no actual tunnel endpoints set up.

    So I went back to the WebGUI under Services > Stunnel, and took a look at the Tunnels tab where I had 3 tunnel endpoints configured. I figured that clicking the edit button on each entry and then clicking the save button would repopulate the /usr/local/etc/stunnel/stunnel.conf file so I clicked 'edit' and subsequently 'save' for each of my tunnel endpoints.

    As a precaution I navigated to the Certificates tab and did the same edit-save procedure for each of my three certificates.

    I then went back to the command line and made sure my clicking around had an effect. I ran

    cat /usr/local/etc/stunnel/stunnel.conf
    

    and was glad to see that my clicking around the GUI wasn't in vain; the file was populated with configuration parameters defining my endpoints.

    I then manually started stunnel from the command line with

    /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
    

    and my stunnel is up and running again (also shows green on the Status > Services section).

    I haven't yet restarted the firewall and don't know if the solution will persist or not.

    Best regards,

    V
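The silent exit described in the post above (a stunnel.conf holding only global options, started by an rc script that checks nothing) can be caught before the daemon is launched. The following preflight script is an added example, not code from the thread or from the pfSense stunnel package; it assumes stunnel's usual INI layout (global options first, then one [name] section per tunnel with accept = and connect = lines) and reuses the paths shown in the post. The sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the thread or of the pfSense stunnel package:
# a preflight check for the generated stunnel.conf. It fails loudly where
# stunnel itself exits quietly: no readable config, a chroot directory that
# does not exist, or no [tunnel] section with both accept and connect.

check_stunnel_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "preflight: no readable config at $conf" >&2
        return 1
    fi

    # Global options sit above the first [section]; read the chroot path there.
    chroot_dir=$(awk -F'=' '
        /^[ \t]*\[/ { exit }
        $1 ~ /^[ \t]*chroot[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }
    ' "$conf")
    if [ -n "$chroot_dir" ] && [ ! -d "$chroot_dir" ]; then
        echo "preflight: chroot directory $chroot_dir does not exist" >&2
        return 1
    fi

    # Require at least one [name] section, each carrying accept and connect.
    awk '
        /^[ \t]*[;#]/ { next }                 # comment lines
        /^[ \t]*\[/ {                          # section header starts a tunnel
            if (name != "" && !(acc && con)) bad++
            name = $0; acc = 0; con = 0; n++
            next
        }
        name != "" && /^[ \t]*accept[ \t]*=/  { acc = 1 }
        name != "" && /^[ \t]*connect[ \t]*=/ { con = 1 }
        END {
            if (name != "" && !(acc && con)) bad++
            if (n == 0) { print "preflight: no [tunnel] sections in config"; exit 1 }
            if (bad)   { print "preflight: " bad " section(s) lack accept/connect"; exit 1 }
        }
    ' "$conf" >&2
}

# Constructed sample configs (not real pfSense output): $1 = path, $2 = chroot dir,
# $3 = "yes" for a config with one tunnel, anything else for the globals-only
# file the post above found after the reboot.
write_sample_conf() {
    {
        echo "cert = /usr/local/etc/stunnel/stunnel.pem"
        echo "chroot = $2"
        echo "setuid = stunnel"
        echo "setgid = stunnel"
        if [ "$3" = "yes" ]; then
            echo ""
            echo "[https]"
            echo "accept = 443"
            echo "connect = 127.0.0.1:80"
        fi
    } > "$1"
}

# Replacement for the bare start in rc_start(): launch only when the check passes.
start_stunnel_checked() {
    check_stunnel_conf "$1" && /usr/local/bin/stunnel "$1"
}

# Demonstration on constructed files in a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/chroot"
write_sample_conf "$demo/empty.conf" "$demo/chroot" no
write_sample_conf "$demo/full.conf"  "$demo/chroot" yes
check_stunnel_conf "$demo/empty.conf" || echo "empty.conf rejected, as expected"
check_stunnel_conf "$demo/full.conf"  && echo "full.conf passes preflight"
```

Calling start_stunnel_checked /usr/local/etc/stunnel/stunnel.conf from rc_start() instead of the bare stunnel invocation turns the "green in the GUI, nothing listening" situation into a visible error in the rc output.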